Disassembling the Design: Exploring a Vulnerability in the CAN Standard

July 13, 2022
VicOne
Disassembling the Design: Exploring a Vulnerability in the CAN Standard

In 2015, security researchers Charlie Miller and Chris Valasek famously hacked a Chrysler Jeep. Like other hacks before it, this hack depended on a particular car make or brand. This kind of hack is usually helpful to the automotive industry, as vulnerabilities discovered in such hacks are then quickly resolved once researchers inform manufacturers of them.

In contrast to make- or brand-specific attacks, the hack conducted through the collaborative research of Trend Micro Research, Politecnico di Milano, and Linklayer Labs attempted to find out what would happen if an attack were stealthy, vendor-neutral, and capable of drastically affecting a car’s performance and function.

A unique proof of concept

One remarkable aspect of this hack is that it can disable devices like a car’s airbag, parking sensors, and active safety systems in a way that state-of-the-art car security systems can’t detect. This hack therefore reiterates the call to fortify the cyber-physical systems of cars — a task that car manufacturers, standardization bodies, and decision-makers share. Notably, this hack requires widespread changes not just in security standards but also in the ways that both in-vehicle networks and devices are made. If attackers were to successfully pull off this hack, over-the-air (OTA) upgrades would not suffice. Instead, the resolution would need to be applied to an entire generation of vehicles to address the threat.

In response to this vendor-neutral attack, some vendors might use non-standard countermeasures. This underlines the need for anticipatory cybersecurity in cars that goes beyond the possible threats previously revealed by Miller and Valasek’s hack. Currently, responding to the threats presented by the Jeep hack is more feasible with an aftermarket intrusion detection system (IDS) and intrusion prevention system (IPS) and the option of car manufacturers to upgrade the running software on a car device to address exploited vulnerabilities in the Jeep hack.

A different countermeasure

In contrast, the joint research discussed here leveraged a security issue involving how the very car device network functions: In short, even if car manufacturers were to resort to network-specific countermeasures, this would only serve to mitigate the impact of the attack. To resolve it completely, a more drastic measure is needed — adopting and implementing an update in the Controller Area Network (CAN) standard in a whole new generation of cars.

In a speech at the Detection of Intrusions and Malware and Vulnerability Assessment (DIMVA) conference in 2017, Federico Maggi, senior threat researcher at Trend Micro, elaborated on how the attack abuses CAN, the network protocol connecting all in-vehicle equipment and systems.

A brief history of CAN

The CAN protocol, which allows car devices and systems to communicate with one another, also enables them to function automatically — a nonnegotiable trait especially in emergencies. If the CAN protocol were to fail, for example, a car’s airbag system might also fail to phone home in case of an accident.

Although initially developed by Bosch in 1983, it was only in 1993 that the International Organization for Standardization (ISO) accepted CAN as a standard, resulting in ISO 11898 for road vehicles. Today, nearly all light-duty vehicles in circulation follow this standard.

Exploiting the CAN vulnerability

CAN messages and errors are called “frames.” Whenever there is a disjunction between the values read by a car device and the original expected value on a frame, this creates an error. When a car device detects this, it writes a message to “recall” the errant frame and notify other devices so that they ignore the errant frame. The attack in question focuses on how CAN handles these errors.

When a device sends too many error messages, the CAN standard mandates that the device must enter a “Bus Off” state. In this state, the device is isolated from CAN and prevented from reading or writing any data onto it. This fault-containment mechanism is useful in preventing a malfunctioning device from affecting others and affecting the overall performance of a vehicle. The attack abuses this feature by inducing enough errors that cause the targeted device or system on the CAN to go into a Bus Off state, possibly leading to fatal situations — not just in accidents that need to trigger the airbag system but also in situations where the antilock braking system is deactivated by attackers.

For threat actors, a specially crafted device introduced to the CAN via local access, together with the reuse of frames already in the CAN (versus injecting new ones), would be enough for them to launch a successful attack. Again, it’s important to note that this attack would be difficult to mitigate as it has to do with a vulnerability in the very design of CAN.

Local access today

There are two other points worth noting about this attack. First, it is possible to enable it using any remotely exploitable vulnerability as long as it allows threat actors to reprogram the electronic control unit (ECU) firmware of a car. Secondly, car manufacturers and security analysts should not take local attacks lightly: Today, transportation trends like ride sharing, carpooling, and renting vehicles are part of everyday life. Unfortunately, this also means that local access to a single car is now more commonplace, necessitating a paradigm shift in automotive cybersecurity to cover all these new possibilities.

Moving forward, the following long-term solutions against similar exploits are recommended:

  • Network segmentation or topology alteration. Doing either of these can stop target error-flooding from affecting a system.
  • Regulated OBD-II diagnostic port access. A special hardware key or password to open the case where the port is located could protect the CAN from the introduction of unauthorized devices. A software-level authentication to allow traffic to and from the port might also help.
  • Encryption. When CAN frame ID fields are encrypted, this can stop attackers from identifying frames they can target. Encryption also creates a noisier and detectable attack pattern.

Trend Micro’s tech brief titled “A Vulnerability in Modern Automotive Standards and How We Exploited It” provides a full exposition of this vulnerability in the CAN design.

To read more research on other possible vulnerabilities in connected vehicle design and learn best security practices, visit our resource center.

Our News and Views

Gain Insights Into Automotive Cybersecurity

Visit Our Blog

Accelerate Your Automotive Cybersecurity Journey Today

Contact Us